-
Notifications
You must be signed in to change notification settings - Fork 36
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Replace python dataclasses with pydantic dataclasses (#674)
* fix unit test (#669) * fix unit test * add some comments explaining why we're doing it this way also use with... syntax to reduce filehandler boilerplate * use pydantic dataclasses makes json roundtrip easier also prepares for FastAPI adoption # Conflicts: # src/ssvc/_mixins.py # src/ssvc/decision_points/cvss/base.py # src/ssvc_v2.py * black reformat * fix unit tests * black reformat * use native python types * update dependencies * wrap scripts in main() func * regenerate with indented json * black reformat * add placeholder test
- Loading branch information
1 parent
e95399a
commit 2dd69f0
Showing
92 changed files
with
1,698 additions
and
256 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,20 @@ | ||
| {"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."}, {"key": "H", "name": "High", "description": "A successful attack depends on conditions beyond the attacker's control."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "3.0.0", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "AC", | ||
| "name": "Attack Complexity", | ||
| "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", | ||
| "values": [ | ||
| { | ||
| "key": "L", | ||
| "name": "Low", | ||
| "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." | ||
| }, | ||
| { | ||
| "key": "H", | ||
| "name": "High", | ||
| "description": "A successful attack depends on conditions beyond the attacker's control." | ||
| } | ||
| ] | ||
| } |
21 changes: 20 additions & 1 deletion
21
data/json/decision_points/cvss/attack_complexity_3_0_1.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,20 @@ | ||
| {"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [{"key": "L", "name": "Low", "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "}, {"key": "H", "name": "High", "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "3.0.1", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "AC", | ||
| "name": "Attack Complexity", | ||
| "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", | ||
| "values": [ | ||
| { | ||
| "key": "L", | ||
| "name": "Low", | ||
| "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " | ||
| }, | ||
| { | ||
| "key": "H", | ||
| "name": "High", | ||
| "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,20 @@ | ||
| {"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", "name": "Attack Requirements", "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [{"key": "N", "name": "None", "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."}, {"key": "P", "name": "Present", "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "1.0.0", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "AT", | ||
| "name": "Attack Requirements", | ||
| "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", | ||
| "values": [ | ||
| { | ||
| "key": "N", | ||
| "name": "None", | ||
| "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." | ||
| }, | ||
| { | ||
| "key": "P", | ||
| "name": "Present", | ||
| "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,30 @@ | ||
| {"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [{"key": "P", "name": "Physical", "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."}, {"key": "L", "name": "Local", "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."}, {"key": "A", "name": "Adjacent", "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."}, {"key": "N", "name": "Network", "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "3.0.0", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "AV", | ||
| "name": "Attack Vector", | ||
| "description": "This metric reflects the context by which vulnerability exploitation is possible. ", | ||
| "values": [ | ||
| { | ||
| "key": "P", | ||
| "name": "Physical", | ||
| "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." | ||
| }, | ||
| { | ||
| "key": "L", | ||
| "name": "Local", | ||
| "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." | ||
| }, | ||
| { | ||
| "key": "A", | ||
| "name": "Adjacent", | ||
| "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." | ||
| }, | ||
| { | ||
| "key": "N", | ||
| "name": "Network", | ||
| "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,30 @@ | ||
| {"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [{"key": "P", "name": "Physical", "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."}, {"key": "L", "name": "Local", "description": "The vulnerable system is not bound to the network stack and the attacker\u2019s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."}, {"key": "A", "name": "Adjacent", "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."}, {"key": "N", "name": "Network", "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed \u201cremotely exploitable\u201d and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "3.0.1", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "AV", | ||
| "name": "Attack Vector", | ||
| "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", | ||
| "values": [ | ||
| { | ||
| "key": "P", | ||
| "name": "Physical", | ||
| "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." | ||
| }, | ||
| { | ||
| "key": "L", | ||
| "name": "Local", | ||
| "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." | ||
| }, | ||
| { | ||
| "key": "A", | ||
| "name": "Adjacent", | ||
| "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." | ||
| }, | ||
| { | ||
| "key": "N", | ||
| "name": "Network", | ||
| "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,20 @@ | ||
| {"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [{"key": "N", "name": "Not Required", "description": "Authentication is not required to access or exploit the vulnerability."}, {"key": "R", "name": "Required", "description": "Authentication is required to access and exploit the vulnerability."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "1.0.0", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "Au", | ||
| "name": "Authentication", | ||
| "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", | ||
| "values": [ | ||
| { | ||
| "key": "N", | ||
| "name": "Not Required", | ||
| "description": "Authentication is not required to access or exploit the vulnerability." | ||
| }, | ||
| { | ||
| "key": "R", | ||
| "name": "Required", | ||
| "description": "Authentication is required to access and exploit the vulnerability." | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,25 @@ | ||
| {"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [{"key": "M", "name": "Multiple", "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."}, {"key": "S", "name": "Single", "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."}, {"key": "N", "name": "None", "description": "Authentication is not required to exploit the vulnerability."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "2.0.0", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "Au", | ||
| "name": "Authentication", | ||
| "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", | ||
| "values": [ | ||
| { | ||
| "key": "M", | ||
| "name": "Multiple", | ||
| "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." | ||
| }, | ||
| { | ||
| "key": "S", | ||
| "name": "Single", | ||
| "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." | ||
| }, | ||
| { | ||
| "key": "N", | ||
| "name": "None", | ||
| "description": "Authentication is not required to exploit the vulnerability." | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,25 @@ | ||
| {"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on availability."}, {"key": "P", "name": "Partial", "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."}, {"key": "C", "name": "Complete", "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."}]} | ||
| { | ||
| "namespace": "cvss", | ||
| "version": "1.0.0", | ||
| "schemaVersion": "1-0-1", | ||
| "key": "A", | ||
| "name": "Availability Impact", | ||
| "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", | ||
| "values": [ | ||
| { | ||
| "key": "N", | ||
| "name": "None", | ||
| "description": "No impact on availability." | ||
| }, | ||
| { | ||
| "key": "P", | ||
| "name": "Partial", | ||
| "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." | ||
| }, | ||
| { | ||
| "key": "C", | ||
| "name": "Complete", | ||
| "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." | ||
| } | ||
| ] | ||
| } |
Oops, something went wrong.